[57] ABSTRACT

Apparatus and a method are disclosed to enable on-line modification and upgrading of terminal software in a communication network while maintaining the integrity of communication between a service provider and a subscriber using the network. Software is downloaded on a booter channel on the communication network. A subscriber terminal, coupled to the network, initiates a communication with the network to receive downloaded booter data. The downloaded data is stored, and a checksum is computed from at least a portion of the downloaded data. The checksum is tested for validity, and control of the subscriber terminal is released to the downloaded software only if the checksum is valid.

12 Claims, 3 Drawing Sheets 
BOOTSTRAP CHANNEL SECURITY ARRANGEMENT FOR COMMUNICATION NETWORK

FIELD OF THE INVENTION

This invention relates to digital communication utilizing a communication network, for example a two-way cable television (CATV) network.

BACKGROUND OF THE INVENTION

Communication networks providing for bi-directional communication are well-known. An example of such a network, embodied in a CATV communication system, is provided in commonly assigned co-pending U.S. patent application Ser. No. 06/373,765, filed Apr. 30, 1982, now U.S. Pat. No. 4,533,948 entitled "CATV Communication System", and incorporated herein by reference (hereinafter, "the co-pending application").

The co-pending application discloses a communication network built around frequency agile modems accessing multiple medium speed (128 kbp/s) channel pairs which are frequency division multiplexed into the available RF spectrum. Each channel pair comprises an upstream communication channel and a downstream communication channel. Each channel can carry a plurality of different signals through well known contention schemes such as CSMA/CD, as described in the co-pending application. This approach, as contrasted with the high speed (10 Mbp/s) baseband approach which is inherently distance limited, is not only compatible with standard CATV systems but has the geographic reach to cover even the largest CATV trunk runs (up to 30 miles).

Various applications are envisioned for such communication networks. Such applications include consumer or commercial services such as home banking, electronic mail and newspapers, shop at home, and the like. A provider of such services can couple its computers to the communication network so that the services can be accessed by a subscriber using an appropriate terminal ("subscriber terminal") coupled to the network. In providing such services, it is essential that security be provided. For example, a home banking customer must be able to accomplish transactions without divulging his personal identification number or other password to an intruder who may be monitoring the communication network.

A subscriber terminal may take several different forms, ranging from one with no intelligence to a "smart terminal" with the ability to complete various tasks locally. Smart terminals are desirable because they can relieve the communication network and its associated controllers from tasks which do not relate strictly to the provision of communication services. The operating system, communications protocol software, display package, and user interface software for the smart terminal can be provided on a disk or other storage medium used with the terminal, can be fixed in read only memory (ROM) installed in the terminal, or downloaded into random access memory (RAM) each time the terminal is powered up. The latter approach is advantageous in that system software can be modified, and each new release distributed via one of the channels of the communication network to each subscriber terminal. This approach enables a system operator to upgrade the software in literally hundreds of thousands of terminals merely by providing new software to be downloaded via the communication network. Thus, terminal products can evolve in place, rather than being made obsolete by changing market demands. An additional benefit of this approach is the ability to page individual software modules off of network channels on demand, reconfiguring subscriber terminals to optimally support a wide variety of diverse applications depending on what a given subscriber desires to do at a particular moment.

A potential problem may arise, however, with the downloading of software into subscriber terminals. In particular, a system intruder could download fraudulent software into a subscriber terminal, which data would be used to take control of the terminal without knowledge by the system operator or the subscriber. The intruder could then access a subscriber's bank account, shop at home account, or conduct other transactions and thereby steal funds, goods, and services.

It would be advantageous to provide a communication network which enables software to be downloaded into subscriber terminals without opening the network to intrusion by an unscrupulous third party. The present invention relates to apparatus and a method for providing such a communication network.

SUMMARY OF THE INVENTION

In accordance with the present invention, apparatus is provided for enabling on-line modification and upgrading of terminal software in a communication network while maintaining the integrity of communication between a service provider and a subscriber using the network. The apparatus includes booter means for downloading software via the communication network. A subscriber terminal, coupled to the communication network, includes means for initiating a communication with the network to receive data downloaded from the booter means, means for storing data downloaded from the booter means, and means for computing a checksum from at least a portion of data downloaded from the booter means. Means are also provided for testing the checksum for validity, and releasing control of the subscriber terminal to software downloaded from the booter means only if the checksum is valid.

The subscriber terminal can further include a secret encryption key. Network control center means is provided for maintaining a record of the secret encryption key, whereby encrypted communication between the subscriber terminal and the network control center means can take place with the encryption based upon the secret encryption key. The checksum computed by the subscriber terminal can be encrypted using the secret encryption key and communicated over the communication network to the network control center means. Means associated with the network control center decrypts the encrypted checksum to enable verification thereof.

Alternately, the network control center means can store a valid checksum corresponding to data downloaded from the booter means. This checksum can be encrypted with the secret encryption key, and communicated to the subscriber terminal via the communication network. The subscriber terminal would then decrypt the encrypted checksum and determine whether it matches the checksum computed by the subscriber terminal.

A method is provided in accordance with the present invention for preventing unauthorized parties from
infiltrating and controlling a communication network in which a booter image is downloaded to subscriber terminals. A portion of data is embedded in a booter image for use in computing a checksum. The booter image is downloaded into a subscriber terminal, and a checksum computed. The proper checksum which should result from the booter image is also computed. The checksum computed by the subscriber terminal is compared to the proper checksum and control of the subscriber terminal is released to the downloaded booter image only if the checksums match. The checksum computation data can be changed on a periodic basis to frustrate efforts by an intruder to outsmart the system.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a communication net- 
work embodying the present invention; 

FIG. 2 is a more detailed block diagram of a communication network in accordance with the present invention illustrating the threat posed by a system intruder; and

FIG. 3 is a flow chart illustrating the checksum verifi- 
cation routine used in the apparatus and method of the 
present invention. 

DETAILED DESCRIPTION OF THE
INVENTION 

FIG. 1 is a block diagram of a communication network 8 (which, for purposes of illustration, is a cable television network) embodying the present invention. A video headend 12 is coupled to the network to transmit television signals. The network shown is a single hub tree-and-branch cable system which achieves two-way connectivity through an intelligent headend packet repeater called a data channel access monitor (DCAM) 10. The DCAM maps up to fifty 300 KHz wide, 128 kbps upstream data channels into an equivalent number of downstream data channels, thereby transforming two unidirectional physical data paths into a single bi-directional logical data path. These channels are then used as a global bus by all devices on the network, which can tune their modems to any given channel pair. Packets transmitted upstream by any terminal coupled to the network are received by DCAM 10, demodulated to clean up accumulated noise, checked for valid authorization headers via a table look up, and retransmitted on the associated downstream channel (assuming a properly encrypted authorization code is present). The retransmitted packet is received by all devices currently tuned to that channel, but is only accepted and decoded by the particular device to which it is addressed. Thus, full point-to-point communication can be achieved between any two locations on the cable system.

Multiple data sessions can share a single data channel 
using a standard contention scheme such as CSMA/CD
(carrier sense multiple access with collision detection), 
which efficiently distributes the available channel 
throughput without sacrificing instantaneous transmis- 
sion speed or response times. 

A network control center (NCC) 22 is responsible for taking the raw communication capability of the network and organizing and managing it. For example, NCC 22 handles the billing of subscribers who use the network. Further, NCC 22 establishes sessions between host computers operated by service providers and subscriber terminals by assigning data channels to be used for each session. An authorization check is also provided by NCC 22 to ensure that the users requesting service are, in fact, valid subscribers with paid-up accounts. Another function of NCC 22 is to distribute traffic among the available channels, and to keep traffic statistics. NCC 22 can be located anywhere on network 8, and does not have to be trunked into the headend.

A host computer 20, typically operated by a service provider, gains access to network 8 via Xgates 16, 18 which provide a standard X.25 interface to the host computer's front end while transparently transforming all data traffic into the internal protocols used on the network. Xgates can also be used to couple the network into long haul packet networks. An Xgate 30 is shown in FIG. 1 for this purpose. Such capability provides access to national data services such as those offered under the trademarks The Source and CompuServe. The network can be further expanded through links, such as link 32, for interconnection with other network hubs.

An additional network component provided in accordance with the present invention is booter 14 which is a one-way transmitter. This unit cyclically transmits up to fifty 300 KHz wide 128 kbps data streams composed of either downloaded software or actual information "frames" for display on subscriber terminals. The one-way booter channel, like the two-way channels, is accessed by the terminal under software control via proper tuning of an integral modem in the terminal. One or more booter channels are reserved for distribution of the basic terminal operating software. The remaining channels on the network are available to authorized service providers who can upload information or software products over the cable system for continuous, load independent distribution.

The provision of booter 14 provides a unique capabil- 
ity in the design of terminal products; namely, all termi- 
nals coupled to the network can be entirely software, 
rather than firmware based. The terminal operating 
system, communications protocol software, display 
package, and user interface software are all downloaded 
from booter 14 into RAM in the terminal each time the 
terminal is powered up. This differs significantly from 
prior art systems wherein such software was perma- 
nently burned into ROM. In the present system, each 
new release of system software is distributed from 
booter 14 via an appropriate booter channel, making it 
possible for a system operator to upgrade the software 
in subscriber terminals remotely. 

An example of a subscriber terminal is the personal 
computer 26 coupled to network 8 through a subscriber 
access unit (SAU) 24. The SAU is an intelligent, fre- 
quency agile 128 kbps modem. It allows the connection 
of a customer owned terminal or personal computer via 
a standard RS-232 or backplane connection, depending 
on the configuration. Additional subscriber terminals, 
or other components such as host computers can be 
coupled to network 8 through any of the various nodes 
28 illustrated.

The provision of a booter for downloading software 
into subscriber terminals has the drawback that a system 
intruder could download fraudulent software over the 
network, which data would be used to take control of a 
subscriber terminal without knowledge by the system 
operator or the subscriber. With such control, the in- 
truder could access various subscriber accounts to con- 
duct transactions not authorized by the subscriber. The 
present invention prevents an intruder ("attacker") 
from taking control of subscriber terminals. 
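The checksum verification routine of FIG. 3 (boxes 80 through 102, described below), modelled end to end as an added example; this is not code from the patent or its assignee. A ROM-resident boot program computes a CRC-16 over the downloaded image, opens an encrypted exchange with the NCC under the terminal's secret node key, and releases control to the downloaded software only if the checksum is valid, in both the variant where the NCC performs the test and the one where the terminal does. The CRC polynomial (CRC-16/CCITT), the image layout with an 8-byte daily-changing "checksum computation data" field, the per-session nonce, and the SHA-256 keystream standing in for the unspecified node-key cipher are all this example's assumptions. One caveat a practitioner should keep in mind: a CRC is an error-detecting code, not a cryptographic hash. It is linear, so anyone who knows the polynomial, the legitimate image and the checksummed region can patch a fraudulent image to yield the same CRC. What keeps an attacker out in this arrangement is that the expected value travels only under a node key the attacker does not hold, and that the checksummed data changes daily, not any difficulty of inverting the CRC; a present-day design would use a MAC or a signature over the image instead.

```python
"""Added example, not code from the patent: a model of the FIG. 3 checksum
verification routine. The CRC polynomial, image layout, session nonce and
keystream cipher are this example's assumptions; the page specifies none."""
import hashlib
import hmac
import os

CRC16_POLY = 0x1021  # CRC-16/CCITT; the page names only "CRC-16 or CRC-24"

def crc16(data: bytes) -> int:
    """Bitwise CRC-16: init 0xFFFF, polynomial 0x1021, no reflection."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ CRC16_POLY if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc

def build_booter_image(code: bytes, checksum_data: bytes) -> bytes:
    """Image = 8-byte 'checksum computation data' (changed daily by the operator,
    claim 12) followed by the terminal software. The layout is an assumption."""
    if len(checksum_data) != 8:
        raise ValueError("checksum_data must be 8 bytes")
    return checksum_data + code

def node_key_encrypt(node_key: bytes, session_nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the node-key cipher of the co-pending application: XOR with a
    SHA-256 keystream bound to a per-session nonce, so one session's encrypted
    checksum cannot be replayed in another. Decryption is the same operation."""
    pad = hashlib.sha256(node_key + session_nonce).digest()
    return bytes(d ^ k for d, k in zip(data, pad))

class NetworkControlCenter:
    """Holds each terminal's secret node key and the checksum of the legitimate
    booter image currently transmitted on the booter channel."""
    def __init__(self, legitimate_image: bytes, node_keys: dict):
        self.node_keys = node_keys
        self.expected_crc = crc16(legitimate_image).to_bytes(2, "big")
        self.alerts: list = []  # box 98: invalid checksums reported to the operator

    def verify_reported_checksum(self, terminal_id: str, nonce: bytes, enc_crc: bytes) -> bool:
        """Variant in which the NCC performs the box 90 test itself."""
        reported = node_key_encrypt(self.node_keys[terminal_id], nonce, enc_crc)
        valid = hmac.compare_digest(reported, self.expected_crc)
        if not valid:
            self.alerts.append(f"invalid checksum from {terminal_id}")
        return valid

    def encrypted_expected_checksum(self, terminal_id: str, nonce: bytes) -> bytes:
        """Variant in which the terminal performs the test: send it the expected value."""
        return node_key_encrypt(self.node_keys[terminal_id], nonce, self.expected_crc)

class SubscriberTerminal:
    """The ROM-resident boot program: download, checksum, verify, then release."""
    def __init__(self, terminal_id: str, node_key: bytes):
        self.terminal_id = terminal_id
        self.node_key = node_key  # secret node key fixed in the terminal

    def boot(self, image: bytes, ncc: NetworkControlCenter, terminal_verifies: bool) -> str:
        computed = crc16(image).to_bytes(2, "big")  # box 86
        nonce = os.urandom(16)  # box 88: fresh nonce for this encrypted session
        if terminal_verifies:
            expected = node_key_encrypt(
                self.node_key, nonce, ncc.encrypted_expected_checksum(self.terminal_id, nonce))
            valid = hmac.compare_digest(computed, expected)  # box 90
            if not valid:
                ncc.alerts.append(f"invalid checksum reported by {self.terminal_id}")
        else:
            valid = ncc.verify_reported_checksum(
                self.terminal_id, nonce, node_key_encrypt(self.node_key, nonce, computed))
        # box 94: release control only if valid; otherwise boxes 100/102: idle.
        return "RUNNING_DOWNLOADED_SOFTWARE" if valid else "IDLE_AWAITING_NCC"

def run_scenario() -> dict:
    """Legitimate booter 46 versus attacker booter 56 (FIG. 2) in both verification
    variants, plus the effect of the daily change to the checksum data."""
    code = b"terminal operating system v7 " * 40   # constructed sample software
    today = build_booter_image(code, b"19841105")  # constructed daily value
    key = b"\x5a" * 16                             # constructed node key
    ncc = NetworkControlCenter(today, {"sau-24": key})
    term = SubscriberTerminal("sau-24", key)
    fraudulent = bytearray(today)
    fraudulent[100] ^= 0x01                        # attacker patches one byte
    tomorrow = build_booter_image(code, b"19841106")
    return {
        "legit_ncc_verifies": term.boot(today, ncc, terminal_verifies=False),
        "legit_terminal_verifies": term.boot(today, ncc, terminal_verifies=True),
        "fraud_ncc_verifies": term.boot(bytes(fraudulent), ncc, terminal_verifies=False),
        "fraud_terminal_verifies": term.boot(bytes(fraudulent), ncc, terminal_verifies=True),
        "alerts": len(ncc.alerts),
        "daily_change_alters_crc": crc16(today) != crc16(tomorrow),
    }

if __name__ == "__main__":
    print(run_scenario())
```

Running the module prints the scenario dictionary. The one-byte patch in `fraudulent` plays the attacker booter of FIG. 2 and is rejected in both variants, each rejection producing the operator alert of box 98; `daily_change_alters_crc` is the single-byte-change observation from the description, since a CRC-16 detects any change confined to fewer than 16 contiguous bits. The per-session nonce is a deliberate design choice: with a keystream derived from the node key alone, an attacker who observed one encrypted checksum and could compute the legitimate image's CRC would recover the pad and could encrypt any value of his choosing.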

FIG. 2 shows how an attacker might try to take control of a subscriber's accounts. A communication network 38 includes an upstream channel 42 and downstream channel 44. A packet repeater 40 is provided to repeat data from upstream channel 42 on downstream channel 44. Legitimate booter 46 is coupled via a one-way path 58 to downstream channel 44 and transmits a legitimate booter image to be received by subscriber terminals. A subscriber terminal 52 is shown coupled to network 38 via path 70 (coupled to upstream channel 42) and path 72 (coupled to downstream channel 44). A network control center (NCC) 48 is coupled to upstream channel 42 via path 62, and downstream channel 44 via path 64. Similarly, service node 50 is coupled to upstream channel 42 via path 66, and downstream channel 44 via path 68.

In normal operation, network 38 operates as described above in connection with network 8 of FIG. 1. However, an attacker might attempt to infiltrate the system by coupling an attacker booter 56 to the downstream path 72 of subscriber terminal 52 via path 60. Without some means of security, fraudulent software could be downloaded from attacker booter 56 into subscriber terminal 52, enabling the attacker to take control of the terminal. Software downloaded by an attacker could be used to determine passwords and other relevant data for accounts belonging to the subscriber. Then, using an accomplice terminal 54 (coupled to upstream channel 42 via path 74 and downstream channel 44 via path 76) the attacker could access the subscriber's accounts to steal funds, goods, and services.

In order to prevent such intrusion by an attacker, the present invention provides an apparatus and method for securing booter channel communication. The security arrangement is best described by referring to the flow chart of FIG. 3.

When a subscriber terminal is powered up as shown at box 80, a ROM based program tunes the terminal's modem to the booter channel for the network, as illustrated at box 82.

At this point, booter data will be downloaded into the subscriber terminal's RAM as indicated at box 84. At box 86, a checksum is computed from the downloaded data, or at least a portion of the downloaded data. The checksum can be computed using a cyclic redundancy code algorithm (CRC) well-known in the art. For example, a CRC-16 or CRC-24 algorithm can be used to compute the checksum. The computation of checksums in accordance with such algorithms is explained in detail in Tanenbaum, Andrew S., Computer Networks, Prentice-Hall, Inc., 1981, pages 128-132. Other checksum computing algorithms could alternately be used.

After the checksum has been computed, an encrypted communication is established with the network control center, as shown at box 88. Encryption can be based upon a secret encryption key unique to the subscriber terminal which computed the checksum. The use of secret node keys and encrypted communication based thereon is disclosed in the co-pending application referred to above.

Briefly, in such an arrangement the network control center maintains a record of the secret encryption key of the subscriber terminal and uses the key for encrypting communications to the subscriber terminal and decrypting communications from the subscriber terminal. Similarly, the subscriber terminal uses the secret encryption key to encrypt communications to the NCC and decrypt communications from the NCC.

At box 90, the checksum is tested for validity. The validity test can be made at the subscriber terminal, at the network control center, or at a separate test facility coupled to the communication network. If the subscriber terminal is to perform the checksum test, the correct checksum for the downloaded booter image will be transmitted to the subscriber terminal in encrypted form from the NCC. The subscriber terminal will then decrypt the received checksum and compare it to the checksum computed by the subscriber terminal. Alternately, the subscriber terminal could encrypt the checksum it computed and compare it to the encrypted checksum received from the NCC.

If the NCC or a separate checksum test facility is to determine the validity of the checksum computed by the subscriber terminal, the subscriber terminal will encrypt the checksum it computed and transmit it to the NCC or other test facility. Again, the checksum computed by the subscriber terminal can be tested for validity in its encrypted form or can be decrypted prior to validity testing.

If, at box 92, the checksum is found to be valid, control passes to box 94 and control of the subscriber terminal is released to the downloaded booter data. The ROM based program then ends at box 96. If, on the other hand, the checksum is determined to be invalid at box 92, control passes to box 98 and the false checksum is reported to the NCC. At box 100, the subscriber terminal awaits action from the NCC, and goes into an idle condition at box 102.

When the NCC is informed that an invalid checksum has been computed by a subscriber terminal, a message is provided to the network operator so that appropriate investigation can commence. The existence of an invalid checksum can indicate that an attacker booter 56 (FIG. 2) was coupled to the subscriber terminal 52 in an attempt to access a subscriber's accounts.

In order to further frustrate an attacker's efforts to intrude, the portion of the booter image from which the checksum is computed can be changed on a periodic basis (e.g. daily). The use of a complicated checksum algorithm (such as CRC) makes it extremely difficult, if not impossible, to reverse engineer the booter image to enable an attacker to modify a fraudulent booter image such that the fraudulent image will cause the subscriber terminal to compute a valid checksum. The combination of the complicated checksum algorithm and periodic modification of the data needed to compute the checksum renders any attempt by an attacker to thwart the security arrangement virtually impossible. The periodic change made to the legitimate booter image can be very minor. For example, changing a single byte in the booter image will result in the computation of an entirely different checksum by the subscriber terminal.

What is claimed is:

1. Apparatus for enabling on-line modification and upgrading of terminal software in a communication network while maintaining the integrity of communication between a service provider and a subscriber using the network comprising:

booter means for downloading software via said communications network;

a subscriber terminal, coupled to said communication network, including:

a secret encryption key,

means for initiating a communication with said network to receive data downloaded from said booter means,

means for storing data downloaded from said booter means, and
means independent of said downloaded data for computing a checksum from at least a portion of data downloaded from said booter means;

means for testing said checksum for validity; 

means for preventing said subscriber terminal from 5 
executing software downloaded from said booter 
means unless the checksum is valid; and 

network control center means for maintaining a re- 
cord of said secret encryption key, whereby en- 
crypted communication between the subscriber ^0 
terminal and network control center means can 
take place with the encryption based upon the 
secret encryption key. 

2. The apparatus of claim 1 further comprising:

means for encrypting the checksum computed by said
subscriber terminal using said secret encryption 
key; 

means for communicating the encrypted checksum 
over said communication network to the network 
control center means; and 

means associated with said network control center 
means for decrypting the encrypted checksum to 
enable said checksum verifying means to verify the
checksum for validity. 

3. The apparatus of claim 1 further comprising 
means associated with said network control center 

means for storing a valid checksum corresponding 
to data downloaded from said booter means; 

means associated with said network control center 
means for encrypting the stored checksum with 
said secret encryption key; 

means for communicating the encrypted checksum to 
the communication network; and 

means associated with said subscriber terminal for receiving and decrypting the encrypted checksum for input to said verifying means, wherein said verifying means compares the decrypted checksum to the checksum computed by said subscriber terminal to verify proper correspondence thereof.

4. Apparatus for protecting a communication net- 
work having an upstream communication channel and a 
downstream communication channel from illegitimate 
access by an unauthorized party comprising: 

booter means coupled to said downstream channel
for downloading software via said communication 
network; 

a subscriber terminal coupled to receive data from 
said downstream channel and transmit data on said 
upstream channel, said subscriber terminal includ-
ing: 

a secret encryption key, 

means for receiving and storing data downloaded from said booter means,

means for computing a checksum from at least a portion of data downloaded from said booter means, and

means for establishing an encrypted communication with said network wherein the encryption is based on said secret encryption key;

network control center means coupled to said com- 
munication network and including a record of the 
secret encryption key for enabling encrypted com- 
munication with said subscriber terminal; 

means for verifying the checksum computed by said
subscriber terminal via an encrypted communica- 
tion established between the subscriber terminal 
and network control center means; and 



means for releasing control of said subscriber termi- 
nal to data downloaded from said booter means 
only if the checksum is found to be valid. 

5. The apparatus of claim 4 wherein the checksum 
computed by said subscriber terminal is encrypted and 
transmitted to said network control center means for 
decryption and verification. 

6. The apparatus of claim 4 wherein said network 
control center means further comprises: 

a record of the correct checksum for data down- 
loaded from said booter means; 

means for encrypting the correct checksum using said 
secret encryption key; and 

means for communicating the encrypted checksum to 
said subscriber terminal for comparison with the 
checksum computed by the subscriber terminal. 

7. A communication network comprising: 
at least one communication channel;

means for downloading data to a subscriber terminal 
coupled to said communication channel; 

means for storing downloaded data in said subscriber 
terminal; 

means for computing a checksum from at least a por- 
tion of downloaded data stored in said subscriber 
terminal; 

means for testing the checksum for validity; 

means for releasing control of said subscriber termi- 
nal to the downloaded data only if said checksum is 
valid; and 

network control center means coupled to said net- 
work for communicating with said subscriber ter-
minal in an encrypted basis, so that checksum data 
can be passed between the network control center 
means and the subscriber terminal for validity test- 
ing without infiltration by an unauthorized party. 

8. The communication network of claim 7 comprising 
a plurality of communication channels and means for 
tuning said subscriber terminal to a predetermined 
channel when the subscriber terminal is powered up to 
enable the subscriber terminal to receive data down- 
loaded on the predetermined channel. 

9. A terminal, for use in communicating on a commu- 
nication network, comprising: 

means for tuning to a booter channel on said network;

means for receiving and storing a booter image 
downloaded on the booter channel; 

means for computing a checksum from at least a por- 
tion of data contained in said booter image; 

means for establishing an encrypted communication
with another device coupled to said network to 
determine whether the computed checksum is 
valid; and 

means for executing software contained in said booter 
image to access a desired service available on said 
network only if the checksum proves to be valid. 

10. The subscriber terminal of claim 9 further com- 
prising read only memory means for storing instructions 
used to access said booter image and compute and vali- 
date said checksum. 

11. A method for preventing unauthorized parties 
from illegitimate access to a communication network in
which a booter image is downloaded to subscriber ter- 
minals coupled to the network, comprising the steps of: 

embedding in a booter image a portion of data for use 

in computing a checksum; 
computing a checksum from booter image data 

downloaded into a subscriber terminal; 
computing the proper checksum which should result from the booter image if the booter image is properly received by the subscriber terminal;

comparing the checksum computed from the booter 
image downloaded into the subscriber terminal 
with the checksum computed from the known 
booter image using an encrypted communication on
said network; and 
releasing control of said subscriber terminal to the
downloaded booter image only if the checksum 
computed by the subscriber terminal matches the 
proper checksum for the booter image. 

12. The method of claim 11 comprising the further 
step of: 

changing the checksum computation data embedded in said booter image on a periodic basis.